A malware scanner 2, for malware such as computer viruses, worms, Trojans and the like, utilizes the external call characteristics associated with known items of malware to identify the presence of malware within a computer file. Malware written in a high level language when compiled can take a variety of different forms as object code, but these different object code forms will usually share external call characteristics to a sufficient degree to allow the presence of such external call characteristics to properly and accurately generically identify different compiled variants of the source code malware.
|
8. A method of detecting a computer program containing malware, comprising:
searching said computer program for external call instructions;
comparing said external call instructions within said computer program with at least one predetermined external call instruction characteristic determined from a plurality of external calls and corresponding to known malware; and
identifying said computer program as containing malware if said external call instructions within said computer program match a predetermined external call instruction characteristic corresponding to known malware,
deleting one or more files associated with known malware, wherein the one or more predetermined external call instruction characteristics comprise
predetermined sets characterizing external calls, and wherein at least one of the predetermined sets characterizing external calls includes at least one wildcard external call marker that provides a match to any external call within a particular range within the computer program, wherein said sets characterizing external calls have associated characterizing relative position information specifying relative position requirements for matching external calls within said computer program.
15. An apparatus for detecting a computer program containing malware using a processor and a memory, said apparatus being configured to:
search said computer program for external call instructions;
compare said external call instructions within said computer program with at least one predetermined external call instruction characteristic determined from a plurality of external calls and corresponding to known malware; and
identify said computer program as containing malware if said external call instructions within said computer program match a predetermined external call instruction characteristic corresponding to known malware;
delete one or more files associated with known malware, wherein the one or more predetermined external call instruction characteristics comprise predetermined sets characterizing external calls, and wherein at least one of the predetermined sets characterizing external calls includes at least one wildcard external call marker that provides a match to any external call within a particular range within the computer program, wherein said sets characterizing external calls have associated characterizing relative position information specifying relative position requirements for matching external calls within said computer program.
1. A computer program product embodied on a non-transitory tangible computer readable medium and configured to:
search code operable to search said computer program for external call instructions;
compare said external call instructions within said computer program with at least one predetermined external call instruction characteristic determined from a plurality of external calls and corresponding to known malware; and
identify said computer program as containing malware if said external call instructions within said computer program match a predetermined external call instruction characteristic corresponding to known malware;
delete one or more files associated with known malware, wherein the one or more predetermined external call instruction characteristics comprise predetermined sets characterizing external calls, and wherein at least one of the predetermined sets characterizing external calls includes at least one wildcard external call marker that provides a match to any external call within a particular range within the computer program, wherein said sets characterizing external calls have associated characterizing relative position information specifying relative position requirements for matching external calls within said computer program.
2. A computer program product as claimed in
3. A computer program product as claimed in
4. A computer program product as claimed in
5. A computer program product as claimed in
6. A computer program product as claimed in
analyzing link information associated with said computer program; and
analyzing a location of said computer program within a file to identify a boundary between said computer program and the joined run-time library.
7. A computer program product as claimed in
a computer virus;
a worm;
and a Trojan.
9. A method as claimed in
10. A method as claimed in
11. A method as claimed in
12. A method as claimed in
13. A method as claimed in
analyzing link information associated with said computer program; and
analyzing a location of said computer program within a file to identify a boundary between said computer program and the joined run-time library.
14. A method as claimed in
a computer virus;
a worm;
and a Trojan.
16. The apparatus as claimed in
17. The apparatus as claimed in
18. The apparatus as claimed in
19. The apparatus as claimed in
20. The apparatus as claimed in
analyzing link information associated with said computer program; and
analyzing a location of said computer program within a file to identify a boundary between said computer program and the joined run-time library.
21. The apparatus as claimed in
a computer virus;
a worm; and
a Trojan.
|
1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the detection of malware, such as, for example, computer viruses, worms, Trojans and the like, within computer programs.
2. Description of the Prior Art
It is known to provide malware detection systems that examine the code of a computer program to identify characteristics corresponding to known items of malware. These characteristics can be considered to be signatures of the viruses. Common approaches utilise binary search strings to look for these characteristics and checksums to detect the alteration of known computer programs.
The known techniques are not well suited to generically detect programs written in high level languages, such as C or VisualBasic. A problem with programs written in such high level languages is that if they are recompiled with other compilers or compiler options or the source code changed in a relatively minor manner, then the binary search strings needed to detect them are significantly altered. This alterations means that a signature developed to detect a particular variant of an item of malware written in a high level language will often fail to detect a minor variant thereof. As an example, if the source code for a Trojan is available on the Internet, then there often occur many dozens of variants of the Trojan which re-use some or all of the source code that has been made publicly available. Whilst the different items of malware so produced from the same source code have functional similarities, it is difficult with known techniques to develop a signature capable of detecting such variants.
The present invention addresses the problem of generically detecting groups of programs produced from the same source code.
Viewed from one aspect the present invention provides a computer program product for controlling a computer to detect a computer program containing malware, said computer program product comprising:
The present technique recognises that compiled program code reflects the source code from which it was produced in the sense that external calls performed by the program tend to appear in a characteristic order reflecting their appearance in the source code. Even a simple program to read and add the line of text to a file may make the following external calls: read the registry, open a file, read a file, write a file and close a file. Programs with a reasonable level of functionality written in contemporary programming forms, such as in the Win32 environment, typically perform thousands of external calls. The program carries out so many of these external calls that their quantity, order, location, distribution and/or other characteristics are a good way of identifying the programs concerned from their functionality without a requirement to fully emulate their action. Thus, by analysing the external calls present within a computer program a fingerprint for selectively identifying that computer program may be produced and malware written in a high level language can be detected in a variety of different compiled forms by detecting the common characteristics of the external calls made by those different compiled forms.
It will be appreciated that the external calls of which the characteristics are identified can take a variety of different forms. These external calls can be calls to an associated operating system, calls to a dynamic link library associated with the computer program and/or calls to a run-time library joined with the computer program by the compiler.
A characteristic of preferred embodiments is that the searching of the computer program for external calls will search the entire computer program as it may not be possible to determine in advance that the external calls, if present, will occur at some particular location within the computer program.
The predetermined external call instruction characteristics can take a wide variety of different forms. One particularly preferred type of characteristic is the identification of a predetermined set of characterising external calls within a computer program. It will be appreciated that these calls could take place a variety of different sequences, it is the presence of such a collection of calls together, possibly within predetermined relative positions of one another, which is characteristic of the malware to be identified.
The predetermined sets of characterising external calls can include logic within their definition of the characteristics being searched e.g. such a preferred embodiment can incorporate wildcard external call markers whereby any external call occurring at a particular point or within a particular range is considered as matching irrespective of its characteristics.
Further external call characteristics that can be examined are the presence of parameter values associated with external calls, e.g. within a predetermined relative location of particular external calls.
As a preliminary step in the analysis of a computer program which may contain malware, preferred embodiments of the present technique serve to analyse the computer program to determine identifying characteristics of external calls prior to searching the computer program for those external calls. As an example, the link information within an import table or the like is examined and the computer program searched to identify any associated run-time library in order that calls to links identified within the import table or locations within the run-time library are identified as external calls which will be subject to comparison with the predetermined external call characteristics.
It will be appreciated that the present technique could be used to identify a variety of different types of malware, such as, for example, computer viruses, worms and Trojans.
Viewed from another aspect the present invention provides a method of detecting a computer program containing malware, said method comprising the steps of:
Viewed from a further aspect the present invention provides apparatus for detecting a computer program containing malware, said apparatus comprising:
The above, and other objects, features and advantages of this invention will be apparent from the following detailed description of illustrative embodiments which is to be read in connection with the accompanying drawings.
In accordance with the present technique, the import table 32 is examined in combination with the call instructions within the computer program 30 to determine the characteristics of an API external call which can then be matched against a database of external call characteristics known to correspond to malware. The Win32 PE file 28 is also initially examined to identify the boundaries of the RTL 34 (e.g. by utilising similar techniques whereby the characteristic external API calls made by the RTL 34 may be detected and used to identify the start and end of the RTL 34). Other known characteristics of the RTL could also be used to identify its boundaries. Once the boundaries of the RTL 34 are known, a call in the computer program to a location within the RTL 34 will be classified as an RTL external call which can form part of the characteristics of a known item of malware to be detected.
Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.
Teblyashkin, Ivan Alexandrovich, Muttik, Igor Garrievich
Patent | Priority | Assignee | Title |
10021124, | Jul 01 2003 | SecurityProfiling, LLC | Computer program product and apparatus for multi-path remediation |
10050988, | Jul 01 2003 | SecurityProfiling, LLC | Computer program product and apparatus for multi-path remediation |
10104110, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
10154055, | Jul 01 2003 | SecurityProfiling, LLC | Real-time vulnerability monitoring |
11003776, | Sep 26 2012 | BLUVECTOR, INC | System and method for automated machine-learning, zero-day malware detection |
11126720, | Sep 26 2012 | BLUVECTOR, INC | System and method for automated machine-learning, zero-day malware detection |
8776027, | Mar 06 2009 | Microsoft Technology Licensing, LLC | Extracting and collecting platform use data |
8984644, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
9100431, | Jul 01 2003 | SecurityProfiling, LLC | Computer program product and apparatus for multi-path remediation |
9117069, | Jul 01 2003 | SecurityProfiling, LLC | Real-time vulnerability monitoring |
9118708, | Jul 01 2003 | SecurityProfiling, LLC | Multi-path remediation |
9118709, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
9118710, | Jul 01 2003 | SecurityProfiling, LLC | System, method, and computer program product for reporting an occurrence in different manners |
9118711, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
9225686, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
9292688, | Sep 26 2012 | ACUITY SOLUTIONS CORPORATION; BLUVECTOR, INC | System and method for automated machine-learning, zero-day malware detection |
9350752, | Jul 01 2003 | SecurityProfiling, LLC | Anti-vulnerability system, method, and computer program product |
9665713, | Sep 26 2012 | ACUITY SOLUTIONS CORPORATION; BLUVECTOR, INC | System and method for automated machine-learning, zero-day malware detection |
9832216, | Nov 21 2014 | ACUITY SOLUTIONS CORPORATION; BLUVECTOR, INC | System and method for network data characterization |
Patent | Priority | Assignee | Title |
5802277, | Jul 31 1995 | LENOVO SINGAPORE PTE LTD | Virus protection in computer systems |
6029256, | Dec 31 1997 | JPMORGAN CHASE BANK, N A ; MORGAN STANLEY SENIOR FUNDING, INC | Method and system for allowing computer programs easy access to features of a virus scanning engine |
6192512, | Sep 24 1998 | TREND MICRO INCORPORATED | Interpreter with virtualized interface |
6873960, | Apr 08 2003 | ACCESS SECURITY PROTECTION, L L C | Methods for reducing fraud in healthcare programs using a smart card |
6956928, | May 05 2003 | Bruker AXS, Inc | Vertical small angle x-ray scattering system |
6971019, | Mar 14 2000 | CA, INC | Histogram-based virus detection |
6973577, | May 26 2000 | JPMORGAN CHASE BANK, N A ; MORGAN STANLEY SENIOR FUNDING, INC | System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state |
7017187, | Jun 20 2000 | CITIGROUP GLOBAL MARKETS, INC | Method and system for file blocking in an electronic messaging system |
7093239, | Jul 17 2000 | PALO ALTO NETWORKS, INC | Computer immune system and method for detecting unwanted code in a computer system |
7099916, | Jan 06 2000 | TREND MICRO INCORPORATED | System and method for downloading a virus-free file certificate from a file server |
7269851, | Jan 07 2002 | McAfee, Inc | Managing malware protection upon a computer network |
7367056, | Jun 04 2002 | CA, INC | Countering malicious code infections to computer files that have been infected more than once |
7793346, | Jan 17 2003 | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT | System, method, and computer program product for preventing trojan communication |
20020129277, | |||
20020178375, | |||
20030101381, | |||
20030135791, | |||
20030159070, | |||
20030229801, | |||
20040015712, | |||
20040025042, | |||
WO9845778, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Mar 24 2003 | MUTTIK, IGOR GARRIEVICH | NETWORKS ASSOCIATES TECHNOLOGY, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 013928 | /0563 | |
Mar 25 2003 | TEBLYASHKIN, VAN ALEXANDROVICH | NETWORKS ASSOCIATES TECHNOLOGY, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 013928 | /0563 | |
Apr 01 2003 | McAfee, Inc. | (assignment on the face of the patent) | / | |||
Nov 19 2004 | NETWORKS ASSOCIATES TECHNOLOGY, INC | McAfee, Inc | MERGER SEE DOCUMENT FOR DETAILS | 016593 | /0812 | |
Dec 20 2016 | McAfee, Inc | McAfee, LLC | CHANGE OF NAME AND ENTITY CONVERSION | 043665 | /0918 | |
Sep 29 2017 | McAfee, LLC | MORGAN STANLEY SENIOR FUNDING, INC | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 045056 | /0676 | |
Sep 29 2017 | McAfee, LLC | JPMORGAN CHASE BANK, N A | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786 ASSIGNOR S HEREBY CONFIRMS THE SECURITY INTEREST | 055854 | /0047 | |
Sep 29 2017 | McAfee, LLC | JPMORGAN CHASE BANK, N A | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 045055 | /0786 | |
Sep 29 2017 | McAfee, LLC | MORGAN STANLEY SENIOR FUNDING, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676 ASSIGNOR S HEREBY CONFIRMS THE SECURITY INTEREST | 054206 | /0593 | |
Oct 26 2020 | JPMORGAN CHASE BANK, N A , AS COLLATERAL AGENT | McAfee, LLC | RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL FRAME 045055 0786 | 054238 | /0001 | |
Mar 01 2022 | McAfee, LLC | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT | SECURITY INTEREST SEE DOCUMENT FOR DETAILS | 059354 | /0335 | |
Mar 01 2022 | MORGAN STANLEY SENIOR FUNDING, INC , AS COLLATERAL AGENT | McAfee, LLC | RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL FRAME 045056 0676 | 059354 | /0213 | |
Mar 01 2022 | McAfee, LLC | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT | CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 060792 | /0307 |
Date | Maintenance Fee Events |
Oct 21 2015 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Oct 17 2019 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Dec 18 2023 | REM: Maintenance Fee Reminder Mailed. |
Jun 03 2024 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
May 01 2015 | 4 years fee payment window open |
Nov 01 2015 | 6 months grace period start (w surcharge) |
May 01 2016 | patent expiry (for year 4) |
May 01 2018 | 2 years to revive unintentionally abandoned end. (for year 4) |
May 01 2019 | 8 years fee payment window open |
Nov 01 2019 | 6 months grace period start (w surcharge) |
May 01 2020 | patent expiry (for year 8) |
May 01 2022 | 2 years to revive unintentionally abandoned end. (for year 8) |
May 01 2023 | 12 years fee payment window open |
Nov 01 2023 | 6 months grace period start (w surcharge) |
May 01 2024 | patent expiry (for year 12) |
May 01 2026 | 2 years to revive unintentionally abandoned end. (for year 12) |